Trust Instead of Control

by Sheetal Joseph - 28 Jan 2016

With the introduction of Radical Agility at Zalando Technology, our motto has become: “trust instead of control”. This change to the organisational culture has also changed how we do security at Zalando: from a command-and-control mode to enabling people to make the right decisions and do the right thing at the right time. Our focus is now firmly on people, and we believe this should be true of any organisation, even one employing the best technical solutions.

“Security is both a feeling and a reality. And they're not the same… security is also a feeling, based not on probabilities and mathematical calculations, but on your psychological reactions to both risks and countermeasures.”- Bruce Schneier, Cryptographer, Security Technologist and Author

Sometimes security comes down to our psychological reaction to a given situation, and changing that reaction can make all the difference to a security program. From the breaking of the German Enigma cipher, to the Stuxnet worm, to last year's much-discussed Ashley Madison breach, human error has been a consistent contributor to most security incidents. People may be the weakest link in security, but they can also be trained to become its greatest strength.

For these reasons, our security team at Zalando intends to focus on people and create a security mindset. To generate security awareness in a meaningful and entertaining way, we’re creating more interactive and rewarding experiences with our employees instead of subjecting them to training sessions, videos and tutorials on security. We have termed these programs our “Fun Factor.” We hope our engineers at Zalando will wholeheartedly enjoy these exercises, which draw on their engineering mindset of “breaking and fixing stuff.”

Here are some of the initiatives we have introduced:

1. Internal Bug Bounty program

The primary aim of this program is to get every engineer at Zalando involved in finding and reporting security bugs in our internal and external systems, and rewarded for doing so! Apart from motivating employees to take part in security activities, and thereby making them aware of the threats they themselves could be exposed to, the program has a number of other benefits, including:

Increased awareness of security issues in our operating environment

Improvement of the company’s security posture

Reduction in the level of insider threats

2. The Security Champion Program

In this program, we invite one person from every team at Zalando Technology to champion the cause of security. These champions are the sentinels and security guides of their teams. We train the champions in the security concepts their teams need to be aware of while building products. Topics range from credit card security requirements and data protection laws, to secure coding and secure design principles, and even what to watch out for when dealing with third parties.

We also encourage the security champions to collaborate with each other, exchange views on the day-to-day security issues they face, and set their own agendas for further action each week. As a company we benefit because teams are empowered to make security decisions from the very start of a project.

3. Security “Capture the Flag” Contests

We organised a very successful capture the flag hacking contest during the recent Zalando Hack Week in December 2015. Capture the Flag contests are an excellent way to simulate a real-world hacking experience and to help participants understand how security weaknesses are found and exploited. They can then apply what they have learned to build more secure products.

4. Security Movie Nights

We organise security movie nights where we showcase movies that have a focus on security. The aim is for people to come together in a relaxed atmosphere with free beer and pizza, enjoy the movie and get an opportunity to directly interact and speak with the Security Team throughout the evening.

5. Security Workshops

Security workshops are two-hour sessions given by experts from the Security Team on hacking techniques such as SQL injection and cross-site scripting, and on the intricacies of an attack. Employees have shown a great deal of interest in these topics, and we expect this too will lead to safer coding practices.
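To make concrete what such a workshop covers, here is an added example that is not from the original post or from Zalando's code base: a login query and a comment renderer, each in the vulnerable form a workshop would have attendees break, beside the fix. The SQLite table, its schema, the user rows and the payloads are constructed for this illustration and are assumptions, not anything the post describes.

```python
"""Added example: the two classic injection bugs a security workshop covers,
each shown in its vulnerable form beside the fix.  Names, schema and sample
rows are constructed for this illustration and are not Zalando code."""
import html
import sqlite3


def make_db():
    """Build a constructed in-memory user table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, is_admin INTEGER)"
    )
    # Passwords are stored in the clear only to keep the example short;
    # a real system stores a salted hash.
    conn.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        [("alice", "correct horse", 1), ("bob", "hunter2", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: untrusted input is spliced into the SQL text,
    so a username such as  alice' --  closes the string literal and comments
    out the password check entirely."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Parameterised query: the values travel separately from the statement,
    so quote characters in the input can never change its structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def render_comment_vulnerable(comment):
    """Deliberately vulnerable reflected XSS: the comment is inserted into
    HTML verbatim, so <script> tags in it run in every viewer's browser."""
    return '<p class="comment">%s</p>' % comment


def render_comment_fixed(comment):
    """Output encoding: html.escape turns <, >, &, " and ' into entities, so
    the comment is displayed as text rather than parsed as markup."""
    return '<p class="comment">%s</p>' % html.escape(comment, quote=True)


def demo():
    """Run both payloads against both versions and return the outcomes."""
    conn = make_db()
    sqli_user = "alice' --"        # closes the quote, comments out the rest
    xss_comment = "<script>alert(1)</script>"
    return {
        "sqli_vulnerable": login_vulnerable(conn, sqli_user, "wrong password"),
        "sqli_fixed": login_fixed(conn, sqli_user, "wrong password"),
        "sqli_fixed_honest": login_fixed(conn, "alice", "correct horse"),
        "xss_vulnerable": render_comment_vulnerable(xss_comment),
        "xss_fixed": render_comment_fixed(xss_comment),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-18s %r" % (name, value))
```

Running it shows the `alice' --` username logging in as alice against the concatenated query and being rejected by the parameterised one, while the genuine credentials still work. The comment renderer has the same root cause, untrusted data concatenated into a structured language, and the same shape of fix: keep data and code apart, here by encoding the data for the context it lands in.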

We believe these programs will create the environment and mentality required to build products that are secure by default. We want every engineer at Zalando to be a Security Superhero! We are curious to know what other companies are doing in this regard, and look forward to collaborating with you to make security fun. Start the conversation with us on Twitter!